Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension

If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store.

A WordPress security company—called “Plugin Vulnerabilities”—that recently gone rogue in order to protest against moderators of the WordPress’s official support forum has once again dropped details and proof-of-concept exploit for a critical flaw in a widely-used WordPress plugin.

To be clear, the reported unpatched vulnerability doesn’t reside in the WordPress core or WooCommerce plugin itself.

Instead, the vulnerability exists in a plugin, called WooCommerce Checkout Manager, that extends the functionality of WooCommerce by allowing eCommerce sites to customize forms on their checkout pages and is currently being used by more than 60,000 websites.

The vulnerability in question is an “arbitrary file upload” issue that can be exploited by unauthenticated, remote attackers if the vulnerable sites have “Categorize Uploaded Files” option enabled within WooCommerce Checkout Manager plugin settings.

“From the more technical aspect, vulnerability occurs inside ‘includes/admin.php’ file at line 2084 on which application is moving given files to a directory using ‘move_uploaded_file’ without prior proper check for allowed files,” explains a blog post published Thursday by web application security platform WebARX, who warned their users after Plugin Vulnerabilities made the flaw public.

If exploited, the flaw could allow attackers to execute arbitrary server-side script code in the context of the web server process and compromise the application to access or modify data or gain administrative access.

WooCommerce Checkout Manager version 4.2.6, which is the latest available plugin at the time of writing, is vulnerable to this issue.

If your WordPress website is using this plugin, you are advised to either disable “Categorize Uploaded Files” option in the setting or disable the plugin completely until a new patched version becomes available.

This is not the first time when the company called Plugin Vulnerabilities inappropriately disclosed an unpatched flaw in the public.

The company has continuously been disclosing vulnerabilities in various WordPress plugins since after they had issues with the WordPress forum moderators.

Since at least past two years the team behind Plugin Vulnerabilities has deliberately been releasing details of newly discovered vulnerabilities directly on the WordPress Support forum, instead of reporting them to the respective plugin authors directly, violating the forum’s rules.

In response to this inappropriate behavior, the WordPress.org moderators eventually blacklisted Plugin Vulnerabilities from their official forum after multiple warnings and banning all their accounts.

However, this did not stop Plugin Vulnerabilities, who since then started disclosing details of new, unpatched WordPress plugin vulnerabilities on their own website, putting the whole ecosystem, websites and their users at risk.